On 04/30/2017 03:36 AM, [email protected] wrote:
> Hi,
>
> Thanks for the clarification.
> After tinkering with rules/providers and changing to
> "USE_DEFAULT_RT=Yes" I've got IP traffic routed.
>
> Now some tricky stuff. DNS, Web, Mail and ftp are running on the DMZ at
> 192.168.1.2, while the Squid transparent proxy runs on the same PC as the firewall.
> The internal loc zone is 192.168.0.xx.
> I made these rules for www, pop3, imap and ftp (_all_ because of 2
> ISP connections):
>
> DNAT all dmz:192.168.1.2 tcp www
> DNAT all dmz:192.168.1.2 tcp pop3
> .... etc
>
> BTW, is it possible to make rules like these:
> DNAT all dmz:192.168.1.2 tcp www, ftp, pop3, imap, 53

Yes: DNAT all dmz:192.168.1.2 tcp www,ftp,pop3,imap,53

> Will this rule work for the transparent proxy (where 192.168.1.2 is the IP of
> our web server running on the DMZ)?
> REDIRECT loc 3128 tcp www - !192.168.1.2

Yes

> How can I set Squid (running on the firewall) to use the DNS server running on
> the DMZ at 192.168.1.2?
>
> DNAT all dmz:192.168.1.2 tcp 53
> DNAT all dmz:192.168.1.2 udp 53
>
> Or the Squid option
> dns_nameservers 192.168.1.2

That is the best way.

> PS. From the loc zone 192.168.0.xx, services like web and mail should be
> accessible via normal domain names, e.g. www.domain.com,
> mail.domain.com, etc.

They will be if you use the DNAT rules you show above.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \ an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.net     \________________________________________________
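As an added example (not code from the thread or from the Shorewall project), here is a small Python parser that expands Shorewall rules-file lines of the kind quoted above, such as the consolidated DNAT line Tom confirms, into one entry per port, and checks a single rule against a connection so the effect of the `!192.168.1.2` ORIGDEST exclusion on the REDIRECT rule is visible: port-80 traffic from loc to the DMZ web server is left alone, while other port-80 traffic from loc is handed to Squid. The service-name table, the sample rules block and the 203.0.113.10 address are constructed for this example, and the matcher is a simplified model of a single rule, not Shorewall's actual chain evaluation order.

```python
# Added example (not from the thread or the Shorewall project): expand Shorewall
# rules-file lines into one tuple per port and test one rule against a
# connection, to show what a "!host" ORIGDEST exclusion does.
from dataclasses import dataclass
from typing import Optional

# Constructed service-name table; a real Shorewall install resolves names via
# /etc/services, so only the names used in the thread are listed here.
SERVICES = {"www": 80, "http": 80, "ftp": 21, "pop3": 110, "imap": 143, "domain": 53}

# Rules constructed from the thread: the consolidated DNAT line, the UDP DNS
# line, and the REDIRECT line with its ORIGDEST exclusion.
RULES = """\
#ACTION   SOURCE  DEST              PROTO  DPORT                 SPORT  ORIGDEST
DNAT      all     dmz:192.168.1.2   tcp    www,ftp,pop3,imap,53
DNAT      all     dmz:192.168.1.2   udp    53
REDIRECT  loc     3128              tcp    www                   -      !192.168.1.2
"""


@dataclass(frozen=True)
class Rule:
    action: str
    source: str                      # zone, or "all"
    dest: str                        # zone:host for DNAT, local port for REDIRECT
    proto: str
    dport: int
    exclude_origdest: Optional[str]  # host named in a "!host" ORIGDEST column, if any


def port_number(token: str) -> int:
    """Resolve a numeric port or a service name from the constructed table."""
    if token.isdigit():
        return int(token)
    try:
        return SERVICES[token.lower()]
    except KeyError:
        raise ValueError(f"unknown service name {token!r}") from None


def expand_line(line: str) -> list[Rule]:
    """Split one rules line into columns and return one Rule per DPORT entry."""
    cols = line.split()
    if len(cols) < 5:
        raise ValueError(f"rule needs at least 5 columns: {line!r}")
    action, source, dest, proto, dport = cols[:5]
    origdest = cols[6] if len(cols) > 6 else "-"
    exclude = origdest[1:] if origdest.startswith("!") else None
    return [Rule(action.upper(), source, dest, proto.lower(), port_number(p), exclude)
            for p in dport.split(",")]


def expand_rules(text: str) -> list[Rule]:
    """Parse a rules-file fragment, skipping comment and blank lines."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.extend(expand_line(line))
    return rules


def rule_matches(rule: Rule, zone: str, orig_dest: str, proto: str, port: int) -> bool:
    """Does this one rule match a connection from `zone` to orig_dest:port?

    Simplified model: it checks the source zone, protocol, destination port and
    the ORIGDEST exclusion only; it does not model chain ordering or the other
    Shorewall columns.
    """
    return (rule.source in ("all", zone)
            and rule.proto == proto
            and rule.dport == port
            and rule.exclude_origdest != orig_dest)


if __name__ == "__main__":
    for r in expand_rules(RULES):
        print(r)
    redirect = expand_rules(RULES)[-1]
    print("loc -> 203.0.113.10:80 proxied:", rule_matches(redirect, "loc", "203.0.113.10", "tcp", 80))
    print("loc -> 192.168.1.2:80 proxied: ", rule_matches(redirect, "loc", "192.168.1.2", "tcp", 80))
```

Expanding the port list explicitly is a useful review step before running `shorewall check`: it makes visible exactly which ports on 192.168.1.2 a single consolidated DNAT line exposes from every zone ("all"), which is the thing to look at whenever a rule is broadened that way.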
